
General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large Versus Small Businesses

General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large Versus Small Businesses. Joseph H. Schuessler, M.S., M.B.A. Doctoral Candidate University of North Texas. Dissertation Committee. Dr. John Windsor, Chair Dr. Chang Koh Dr. Audhesh Paswan



Presentation Transcript


  1. General Deterrence Theory: Assessing Information Systems Security Effectiveness in Large Versus Small Businesses
     Joseph H. Schuessler, M.S., M.B.A., Doctoral Candidate, University of North Texas
     Introduction – Literature Review – Methodology – Results - Conclusions

  2. Dissertation Committee
     • Dr. John Windsor, Chair
     • Dr. Chang Koh
     • Dr. Audhesh Paswan
     • Dr. Victor Prybutok

  3. Agenda
     • Introduction
       • Motivation
       • Conceptual Model
     • Literature Review
       • Research Model
       • Hypotheses
     • Methodology
     • Results
       • Demographics
       • Reliability
       • PLS Model
       • Hypotheses Summary
     • Conclusions
       • Discussion
       • Contributions
       • Limitations
       • Future Research

  4. "In preparing for battle I have always found that plans are useless, but planning is indispensable." (Dwight D. Eisenhower)

  5. Motivation
     • Organizations are increasing their dependence on information systems (Abu-Musa, 2004; Barsanti, 1999; Kankanhalli et al., 2003)
     • Information Systems Security (ISS) has never consistently ranked among the top 10 concerns of management (Ball and Harris, 1982; Dickson et al., 1984; Brancheau and Wetherbe, 1987; Brancheau et al., 1996; Pimchangthong et al., 2003)
     • Costs associated with security incidents continue to rise (CERT/CC, 2004; CSI/FBI Computer Crime and Security Survey, 2007)
     • Legislators are paying more attention to security than management is (Hoffer and Straub, 1989)
     • Greater concern from management is needed (Dhillon and Backhouse, 2000)

  6. Conceptual Model (figure)

  7. Literature Review
     • Countermeasures
       • "…an array of organizational devices to deter, prevent, or detect security breaches" (Kotulic and Clark, 2004, page 599)
     • General Deterrence Theory
       • Posits that individuals can be dissuaded from committing antisocial acts through the use of countermeasures, which include strong disincentives and sanctions relative to the act (Straub and Welke, 1998)

  8. Literature Review (Continued)
     • Deterrence
       • Defined by Merriam-Webster as "the inhibition of criminal behavior by fear especially of punishment."
     • Prevention
       • Defined by the American Heritage Dictionary as "a hindrance or an obstacle."
     • Detection
       • Defined by the American Heritage Dictionary as "the act or process of discovery."
     • Remedy
       • Defined by the American Heritage Dictionary as "a legal order of preventing or redressing a wrong or enforcing a right."

  9. Literature Review (Continued)
     • Organizational Factors
       • Organizational Size
         • Organizational size is positively related to the use of deterrent efforts (Kankanhalli et al., 2003)
         • Smaller businesses suffer from "resource poverty," which results in less effective ISS efforts (Stephens, 2003)
       • Industry Affiliation
         • Industry affiliation is related to the use of deterrent efforts (Kankanhalli et al., 2003)
         • Certain industries are more susceptible to computer abuse than others (Hoffer and Straub, 1989)

  10. Literature Review (Continued)
     • Threats
       • "…a broad range of forces capable of producing adverse consequences" (Loch et al., 1992, p. 174)
       • Threats are dynamic in nature
       • Only anecdotal evidence and practitioner belief support a relationship between threats and countermeasures

  11. Literature Review (Continued)
     • Non-Recursive Relationship Between Threats and Countermeasures
       • The relationship between threats and countermeasures can be likened to a cat-and-mouse game
       • Complex Adaptive Systems Theory (Holland, 1992) is used to explain this relationship

  12. Literature Review (Continued)
     • Information Systems Security Effectiveness
       • Relatively little research has focused on ISS Effectiveness
       • Phelps (2005) developed an instrument covering multiple security domains
       • Kankanhalli et al. (2003) developed a more parsimonious construct

  13. Literature Review (Continued)
     • Information Systems Security Effectiveness (Continued)
       • Deterrent and Prevention Efforts are positively related to ISS Effectiveness (Kankanhalli et al., 2003)
       • Detection and Remedy Efforts have not been examined in relation to ISS Effectiveness

  14. Research Model (figure)

  15. Hypotheses
     • H1: Organizational Size will be positively associated with the use of each GDT construct (H1a, H1b, H1c, H1d)
     • H2: Industry Affiliation will be related to each GDT construct (H2a, H2b, H2c, H2d)
     • H3: Threats will be positively associated with Organizational Size
     • H4: Threats will be related to Industry Affiliation
     • H5: Each General Deterrence Theory construct will be positively associated with ISS Effectiveness (H5a, H5b, H5c, H5d)

  16. Hypotheses (Continued)
     • H6: Threats will be positively associated with each General Deterrence Theory construct (H6a, H6b, H6c, H6d)
     • H7: Each General Deterrence Theory construct will be related to Threats (H7a, H7b, H7c, H7d)
     • H8: Organizational Size will be positively associated with ISS Effectiveness
     • H9: Industry Affiliation will be related to ISS Effectiveness

  17. Methodology
     • Two stages of data collection
     • Stage 1 – Structured Interviews:
       • 6 interviews with IS professionals
       • 337 minutes, 59 seconds
       • 96 pages
       • 43,696 words
       • Interviews were evaluated using MaxQDA
       • Threats coded following the Loch et al. (1992) classification of threats
       • Countermeasures coded following GDT

  18. Methodology (Continued)
     • Stage 2 – Online Survey
       • Survey developed from items identified in the interviews
       • Items evaluated by two practicing security professionals
       • Pilot test was conducted
       • Survey administered to AITP using an online instrument
       • 73 usable responses
       • 4.9% response rate
       • Non-response bias assessed

  19. Methodology (Continued)
     • Data Analysis
       • SmartPLS was used
         • Ability to handle small sample sizes
         • PLS does not impose homogeneity or normality requirements on the data
     • Non-Recursive Relationship
       • Assessed using the structural model without the non-recursive relationships
       • Remaining relationships were assessed using two-stage least squares

  20. Demographics (figure)

  21. Demographics (Continued) (figure)

  22. Validity/Reliability (figure)

  23. Validity/Reliability (Continued) (figure)

  24. Validity/Reliability (Continued) (figure)

  25. Validity/Reliability (Continued) (figure)

  26. PLS Model Coefficients (figure)

  27. Research Hypotheses Summary (figure)

  28. Research Hypotheses Summary (Continued) (figure)

  29. Research Hypotheses Summary (Continued) (figure)

  30. Discussion
     • Smaller organizations tend to use relatively more countermeasures
     • No relation between Industry and Threats
     • Industry Affiliation related to each countermeasure technique except remedy
     • Each countermeasure technique except detection related to ISS effectiveness
     • Threats were empirically shown to be related to all four countermeasure techniques
     • Non-recursively, Remedy and Prevention were also found to be related to threats
     • Organization Size and Industry found to be related to ISS effectiveness

  31. Contributions
     • Practitioners:
       • Can be used as an assessment tool
       • Can be used prescriptively to adjust security posture
     • Researchers:
       • Applies a theoretically developed lens to the use of countermeasures
       • Extends the Information Systems Security Effectiveness construct developed by Kankanhalli et al. (2003)
       • Empirically tests the non-recursive relationship between threats and countermeasures

  32. Limitations
     • Cross-sectional data
     • Common method bias
     • Threats are treated holistically

  33. Future Research
     • Layers of abstraction:
       • Siponen identified three layers of abstraction at which an organization's information systems can be described
       • These layers could be used to further analyze threats, countermeasures, and ISS effectiveness
     • Granular examination of threats:
       • This study identified four threat factors
       • Using Loch et al.'s (1992) classification scheme could provide greater insight for practitioners into the sources of threats and the most appropriate countermeasures for each source
     • Stage analysis:
       • Identifying key stages and characteristics that firms go through as their security posture matures over time

  34. Summary
     • This research had four goals:
       • Extend the ISSE construct
       • Explore a methodology unique to the IS discipline
       • Apply the theoretically developed General Deterrence Theory to an organization's use of countermeasures
       • Empirically assess the relationships between threats and countermeasures

  35. "A good plan violently executed now is better than a perfect plan executed next week." (George S. Patton)

  36. Questions?